Appl. No. 10/671,202 

Amdt. dated May 16, 2007 

Reply to Office Action of March 9, 2007 



This listing of claims replaces all prior versions, and 
listings of claims in the instant application: 

Listing of Claims; 

1. (Currently amended) A method comprising: 
stalling a call to- a critical operating system (OS) 

function; and 1 

determining whether said call is from execution of a 
return instruction comprising: 

looking up a value at a previous top of stack; and 

determining whether said value is equivalent to an address 
of said critical OS function, 

wherein upon a determination that said call is from 
execution of said return instruction during said determining, 
said method further comprising taking protective action to 
protect a computer system . 

2. (Canceled) 



3. (Currently amended) The method of Claim 3—1 wherein a 
determination is made that said call is from execution of a 
return instruction when a determination is made that said value 
is equivalent to said address of said critical OS function. 



4. (Currently amended) The method of Claim 5—1 wherein a 
determination is made that said call is not from execution of a 
return instruction when a determination is made that said value 
is not equivalent to said address of said critical OS function. 



5. (Canceled) 
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6. (Currently amended) The method of Claim 3—1 further 
comprising allowing said call to proceed upon a determination 
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that said value is not equivalent to said address of said 
critical OS function. 

7. (Currently amended) The method of Claim 5—1 wherein 
said previous top of stack is at address [ESP-4] . 

8. (Original) The method of Claim 7 wherein a top of 
stack is at address [ESP] . 

9. (Canceled) 

10. (Currently amended) The method of Claim -9-1 wherein 
said taking protective action comprises terminating said call. 

11. (Currently amended) The method of Claim -9—1 wherein 
said taking protective action comprises terminating a call 
module originating said call. 

12. (Currently amended) The method of Claim -9-1 wherein 
said taking protective action comprises terminating a parent 
application comprising a call module originating said call. 

13. (Currently amended) The method of Claim 9-1 further 
comprising providing a notification that said protective action 
has been taken. 

14. (Currently amended) The method of Claim 1 wherein 
upon a determination that said call is from execution of said 
return instruction during said determining, said method further 
comprising determining whether said call is a known false 
positive . 
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15. (Currently amended) The method of Claim 14 wherein 
upon a determination that said call is not said known false 
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positive, said method further comprising taking protective 
action to protect a computer system is performed . 

16. (Currently amended) The method of Claim further 
comprising providing a notification that said protective action 
has been taken. 



17. (Original) The method of Claim 14 wherein upon a 
determination that said call is said known false positive, said 
method further comprising allowing said call to proceed. 

18. (Original) The method of Claim 1 further comprising 
hooking said critical OS function. 

19. (Original) The method of Claim 1 further comprising 
originating said call to said critical OS function. 

20. (Original) The method of Claim 1 wherein said 
critical OS function is necessary for a first application to 
cause execution of a second application. 

21. (Original) The method of Claim 20 wherein said 
second application allows remote access of a computer system. 
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22. (Original) A method comprising: 
stalling a call to a critical operating system (OS) 
function; 

looking up a value at a previous top of stack; and 
determining whether said value is equivalent to an address 
of said critical OS function, wherein upon a determination that 
said value is equivalent to said address of said critical OS 
function, said method further comprising taking protective 
action to protect a computer system. 
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23. (Original) The method of Claim 22 wherein upon a 
determination that said value is not equivalent to said address 
of said critical OS function, said method further comprising 
allowing said call to proceed. 

24. (Currently amended) A computer program product 
comprising a tangible computer readable medium containing 
computer program code comprising : 

a Return-to-LIBC attack blocking application for stalling 
a call to a critical operating system (OS) function; 

said Return-to-LIBC attack blocking application further 
for looking up a value at a previous top of stack; and 

said Return-to-LIBC attack blocking application further 
for determining whether said value is equivalent to an address 
of said critical OS function, wherein upon a determination that 
said value is equivalent to said address of said critical OS 
function, said Return-to-LIBC attack blocking application 
further for taking protective action to protect a computer 
system comprising said Return-to-LIBC attack blocking 
application. 
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